
Issue with libnss-ldap on Debian squeeze, trying anonymous bind with a binddn

Hello,

I have an OpenLDAP server that disallows anonymous search and I'm trying to connect another server to it to manage the users/groups.
Everything is working fine until I try to auth myself with any user. I worked on it today but I really have no idea why this doesn't work...

I installed libnss-ldapd via aptitude and double-checked the configuration file.
I have created a test user that has admin read/write rights on the whole LDAP tree (just to remove any possible rights issue), and I have configured this user as the binddn:

nslcd.conf :

uid nslcd
gid nslcd
uri ldap://ldap.example.com/
base dc=example,dc=com
binddn uid=test,ou=special,dc=example,dc=com
bindpw test

nsswitch.conf :

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis


and here is a typical LDAP entry:

dn: uid=abeta,ou=people,dc=example,dc=com
cn: alpha beta
displayName: alpha beta
gidNumber: 22222
givenName: alpha
homeDirectory: /home/abeta
loginShell: /bin/bash
mail: abeta [at] example.com
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
sn: beta
uid: abeta
uidNumber: 11111
userPassword: test

getent passwd works fine:

$ getent passwd|grep alpha
abeta:x:11111:22222:alpha beta:/home/abeta:/bin/bash

But when I try to connect as this user (su - or ssh), this is the result from the user perspective:
$ su - abeta
Password:
su: Authentication failure

debug information from nslcd:

== su - entered here ==

nslcd: [52255a] DEBUG: connection from pid=13635 uid=0 gid=1000
nslcd: [52255a] DEBUG: nslcd_passwd_byname(abeta)
nslcd: [52255a] DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=abeta))")
nslcd: [52255a] DEBUG: ldap_result(): end of results

== password entered by the user here ==

nslcd: [9cf92e] DEBUG: connection from pid=13635 uid=0 gid=1000
nslcd: [9cf92e] DEBUG: nslcd_passwd_byname(abeta)
nslcd: [9cf92e] DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=abeta))")
nslcd: [9cf92e] DEBUG: ldap_result(): end of results
nslcd: [ed7263] DEBUG: connection from pid=13635 uid=0 gid=1000
nslcd: [ed7263] DEBUG: nslcd_shadow_byname(abeta)
nslcd: [ed7263] DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=shadowAccount)(uid=abeta))")
nslcd: [ed7263] DEBUG: ldap_result(): end of results

== auth failure ==

From Openldap perspective, this is what I got:

== su - entered ==

Oct 11 20:57:43 mail slapd[22770]: conn=2604 fd=10 ACCEPT from IP=11.22.33.6:41966 (IP=11.22.33.10:389)
Oct 11 20:57:43 mail slapd[22770]: conn=2604 op=0 BIND dn="uid=test,ou=special,dc=example,dc=com" method=128
Oct 11 20:57:43 mail slapd[22770]: conn=2604 op=0 BIND dn="uid=test,ou=special,dc=example,dc=com" mech=SIMPLE ssf=0
Oct 11 20:57:43 mail slapd[22770]: conn=2604 op=0 RESULT tag=97 err=0 text=
Oct 11 20:57:43 mail slapd[22770]: conn=2604 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=abeta))"
Oct 11 20:57:43 mail slapd[22770]: conn=2604 op=1 SRCH attr=userPassword cn gidNumber uidNumber loginShell objectClass gecos uid homeDirectory
Oct 11 20:57:43 mail slapd[22770]: conn=2604 op=1 ENTRY dn="uid=abeta,ou=people,dc=example,dc=com"
Oct 11 20:57:43 mail slapd[22770]: conn=2604 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

== password entered ==

Oct 11 20:58:12 mail slapd[22770]: conn=2607 fd=12 ACCEPT from IP=11.22.33.6:41967 (IP=11.22.33.10:389)
Oct 11 20:58:12 mail slapd[22770]: conn=2607 op=0 BIND dn="uid=test,ou=special,dc=example,dc=com" method=128
Oct 11 20:58:12 mail slapd[22770]: conn=2607 op=0 BIND dn="uid=test,ou=special,dc=example,dc=com" mech=SIMPLE ssf=0
Oct 11 20:58:12 mail slapd[22770]: conn=2607 op=0 RESULT tag=97 err=0 text=
Oct 11 20:58:12 mail slapd[22770]: conn=2607 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=abeta))"
Oct 11 20:58:12 mail slapd[22770]: conn=2607 op=1 SRCH attr=userPassword cn gidNumber uidNumber loginShell objectClass gecos uid homeDirectory
Oct 11 20:58:12 mail slapd[22770]: conn=2607 op=1 ENTRY dn="uid=abeta,ou=people,dc=example,dc=com"
Oct 11 20:58:12 mail slapd[22770]: conn=2607 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 11 20:58:12 mail slapd[22770]: conn=2608 fd=13 ACCEPT from IP=11.22.33.6:41968 (IP=11.22.33.10:389)
Oct 11 20:58:12 mail slapd[22770]: conn=2608 op=0 BIND dn="uid=test,ou=special,dc=example,dc=com" method=128
Oct 11 20:58:12 mail slapd[22770]: conn=2608 op=0 BIND dn="uid=test,ou=special,dc=example,dc=com" mech=SIMPLE ssf=0
Oct 11 20:58:12 mail slapd[22770]: conn=2608 op=0 RESULT tag=97 err=0 text=
Oct 11 20:58:12 mail slapd[22770]: conn=2608 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=abeta))"
Oct 11 20:58:12 mail slapd[22770]: conn=2608 op=1 SRCH attr=shadowFlag shadowMin shadowMax userPassword shadowWarning shadowInactive uid shadowExpire shadowLastChange
Oct 11 20:58:12 mail slapd[22770]: conn=2608 op=1 ENTRY dn="uid=abeta,ou=people,dc=example,dc=com"
Oct 11 20:58:12 mail slapd[22770]: conn=2608 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 11 20:58:12 mail slapd[22770]: conn=2609 fd=14 ACCEPT from IP=11.22.33.6:41969 (IP=11.22.33.10:389)
Oct 11 20:58:12 mail slapd[22770]: conn=2609 op=0 BIND dn="" method=128
Oct 11 20:58:12 mail slapd[22770]: conn=2609 op=0 RESULT tag=97 err=0 text=
Oct 11 20:58:12 mail slapd[22770]: conn=2609 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=abeta)"
Oct 11 20:58:12 mail slapd[22770]: conn=2609 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 11 20:58:14 mail slapd[22770]: conn=2609 op=2 UNBIND
Oct 11 20:58:14 mail slapd[22770]: conn=2609 fd=14 closed

What I don't understand is why I have a connection at the end with BIND dn="" method=128. It seems like nslcd has the correct dn just above and then binds itself anonymously and does a search that's gonna see nothing (since anonymous users have no read access on the ldap tree).

Am I missing something? I tried with the old libnss-ldap but it doesn't work either.

Any help will be welcome.

Thanks,
Jeremie
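As an added example (not code from the post, nor from nss-pam-ldapd or OpenLDAP), here is a small Python script that scans slapd logs in the format shown above and flags searches issued over an anonymous bind that came back with zero entries, which is exactly what the last connection in the log shows. The log lines embedded in it are constructed after the post's format; a connection with no BIND at all is treated as anonymous, as LDAP does.

```python
import re

# Constructed sample lines modelled on the slapd log format quoted in the post.
SAMPLE_LOG = """\
Oct 11 20:58:12 mail slapd[22770]: conn=2608 op=0 BIND dn="uid=test,ou=special,dc=example,dc=com" method=128
Oct 11 20:58:12 mail slapd[22770]: conn=2608 op=0 RESULT tag=97 err=0 text=
Oct 11 20:58:12 mail slapd[22770]: conn=2608 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=abeta))"
Oct 11 20:58:12 mail slapd[22770]: conn=2608 op=1 SRCH attr=shadowFlag shadowMin shadowMax userPassword uid
Oct 11 20:58:12 mail slapd[22770]: conn=2608 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 11 20:58:12 mail slapd[22770]: conn=2609 op=0 BIND dn="" method=128
Oct 11 20:58:12 mail slapd[22770]: conn=2609 op=0 RESULT tag=97 err=0 text=
Oct 11 20:58:12 mail slapd[22770]: conn=2609 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=abeta)"
Oct 11 20:58:12 mail slapd[22770]: conn=2609 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

# A BIND line records the DN the connection is now authenticated as ("" = anonymous).
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=')
# The first SRCH line of an operation carries the filter; the "SRCH attr=" line does not.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*filter="([^"]*)"')
# The SEARCH RESULT line closes the operation and tells how many entries were returned.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)')


def find_anonymous_empty_searches(log_text):
    """Return [(conn_id, filter)] for every search run without a bind DN that returned nothing."""
    bind_dn = {}   # conn id -> DN of the most recent BIND on that connection
    pending = {}   # (conn id, op id) -> filter of a search still awaiting its result
    findings = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            bind_dn[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, nentries = m.group(1), m.group(2), int(m.group(3))
            flt = pending.pop((conn, op), None)
            # Unbound connections are anonymous, so a missing BIND counts as dn="".
            if flt is not None and bind_dn.get(conn, "") == "" and nentries == 0:
                findings.append((conn, flt))
    return findings


if __name__ == "__main__":
    for conn, flt in find_anonymous_empty_searches(SAMPLE_LOG):
        print(f"conn={conn}: anonymous search {flt} returned no entries")
```

Run against a real slapd log (loglevel stats), each hit points at a client that searched without the configured binddn, which is the first thing to check when getent works but authentication does not.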